Abstract. In this paper, we present a new identity-based encryption (IBE) scheme
using bilinear pairings. Our IBE scheme has the same Key Extraction and Decryption
algorithms as the famous IBE scheme of Boneh and Franklin (BF-IBE for short), but
differs from the latter in that it has modified Setup and Encryption algorithms.

Compared with BF-IBE, we show that ours is more practical in a multiple private
key generator (PKG) environment, mainly because the session secret $g_{ID}$ can
be pre-computed before any interaction, and the sender can encrypt a message
using $g_{ID}$ prior to negotiating with the intended recipient(s). As an application
of our IBE scheme, we also derive an escrowed ElGamal scheme which possesses
certain good properties in practice.

The idea of identity (ID)-based cryptography was first introduced by Shamir in 1984 [7].
The basic idea behind an ID-based cryptosystem is that end users can choose an arbitrary
string, for example their email addresses or other online identifiers, as their public key.
The corresponding private keys are created by binding the identity with a master secret
of a trusted authority (called the private key generator, or PKG for short). This eliminates
much of the overhead associated with key management.

In 2001, Boneh and Franklin [2] gave the first fully functional solution for ID-based
encryption (IBE) using the bilinear pairing over elliptic curves. Based on pairings, Sakai
and Kasahara presented another IBE scheme (SK-IBE for short) by using another Key
Extraction algorithm in 2003 [8]. However, the Boneh-Franklin scheme (BF-IBE for short)
has received much more attention in recent years.

In this paper, we give a new IBE scheme based on bilinear pairings. Our scheme has
the same Key Extraction and Decryption algorithms as BF-IBE, but differs from the
latter in that it has different Setup and Encryption algorithms. We show that ours is more
practical in a multiple private key generator (PKG) environment. Parallel to [2], we also
derive an escrowed ElGamal [4] encryption scheme from our IBE scheme. Furthermore, we
show how the derived ElGamal encryption enables a dual decryptor public key encryption
(PKE) scheme.

We note that SK-IBE due to Sakai and Kasahara [8] has better performance than
BF-IBE and ours. In particular, SK-IBE is also very practical in multiple PKG environments.
However, its applicability to some circumstances is not comparable to that of BF-IBE,
e.g., it seems very hard to derive from it an escrowed ElGamal encryption scheme. In this
regard, we do not compare the new IBE with SK-IBE for now.

Paper Organization. The rest of this paper is structured as follows. In the next section, 
we give the necessary definition for bilinear pairings. Section 3 describes our IBE scheme. 
In Section 4, we present a new escrowed ElGamal encryption scheme. Section 5 contains 
a brief conclusion and indicates our ongoing work. 

2 Bilinear Pairings 

In this section, we describe in a more general format the basic definition and properties of
the pairing; more details can be found in [2].

Let $G_1$ be a cyclic additive group generated by an element $P$, whose order is a prime
$p$, and $G_2$ be a cyclic multiplicative group of the same prime order $p$. We assume that the
discrete logarithm problem (DLP) in both $G_1$ and $G_2$ is hard.

Definition 1. An admissible pairing $e$ is a bilinear map $e : G_1 \times G_1 \to G_2$ which satisfies
the following three properties:

1. Bilinear: If $P, Q \in G_1$ and $a, b \in \mathbb{Z}_p^*$, then $e(aP, bQ) = e(P, Q)^{ab}$;

2. Non-degenerate: $e(P, P) \neq 1$;

3. Computable: If $P, Q \in G_1$, one can compute $e(P, Q) \in G_2$ in polynomial time.

3 New IBE Scheme and Its Fitness for Multiple PKG Environments

Because of inherent key escrow, the difficulty of establishing secure channels for
private key distribution, and the need to avoid the single point of failure of using only one PKG,
it is well known that (single-PKG) IBE is only well suited for use in relatively small
and closed organizations, i.e. each organization has its own private key generator,
generating private keys for the principals within its domain.

For an IBE to be used in a multiple PKG environment (or, cross domains), all that is 
needed is the availability of standard pairing-friendly curves and a common group generator
point P. We note that this is a reasonable requirement. In fact, elliptic curves, suitable 
group generator points and other cryptographic tools have been standardized for non-IBE 
applications, for example in the NIST FIPS standards [6]. Once these group generator 
points and curves have been agreed upon, each PKG can generate its own random master 
secret. 

3.1 Description of the Scheme 

Let $G_1$ and $G_2$ be groups of prime order $p$, and let $e : G_1 \times G_1 \to G_2$ be the bilinear
pairing. $P$ is a generator point of $G_1$. The IBE system works as follows.

Setup. Given a security parameter $k$, the PKG does the following:

1. Chooses a random $s \in \mathbb{Z}_p$, calculates $P_{pub} = s^{-1}P \in G_1$.¹

2. Picks a cryptographic hash function $H_1 : \{0,1\}^* \to G_1$; a cryptographic hash function
$H_2 : G_2 \to \{0,1\}^n$ for some $n$.

¹ Note that in BF-IBE, the public key of the PKG is $P_{pub} = sP \in G_1$ instead.

The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1^* \times \{0,1\}^n$. The
public params are $\langle q, G_1, G_2, e, P, P_{pub}, n, H_1, H_2 \rangle$ and the master key is $s$.

Key Extraction. This algorithm is identical to that of BF-IBE. To generate a private key
for identity $ID \in \{0,1\}^*$, the PKG first computes $Q_{ID} = H_1(ID) \in G_1^*$, and then sets the
private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.

Encryption. To encrypt a message $m \in \mathcal{M}$, the sender picks a random $r \in \mathbb{Z}_p$, uses the
receiver's identity $ID$ to compute $Q_{ID} = H_1(ID) \in G_1^*$, and sets the ciphertext to be

$C = \langle rP_{pub},\ m \oplus H_2(g_{ID}^r) \rangle$, where $g_{ID} = e(P, Q_{ID}) \in G_2^*$.

Decryption. This algorithm is identical to that of BF-IBE. To decrypt a ciphertext
$C = (U, V) \in \mathcal{C}$, the recipient uses the private key $d_{ID}$ of the identity $ID$ to compute

$m = V \oplus H_2(e(U, d_{ID}))$.

Consistency: The recipient can correctly decrypt $C$ to get $m$ since

$e(U, d_{ID}) = e(rs^{-1}P, sQ_{ID}) = e(P, Q_{ID})^r$.

3.2 Its Fitness for Multiple PKG Environments 

As mentioned above, an IBE scheme is often used across multiple PKGs, namely each
organization (e.g., a company) has its own PKG. In many cases, a principal may need
to encrypt messages to principals from different domains. For example, a salesman
of company A may need to encrypt messages to Bob from company B, Carol from
company C, or Emmy, whose company he does not yet know.

Now we compare our new IBE with BF-IBE [2] in such an environment. The Setup
algorithm in our IBE requires one more fast inverse operation in $\mathbb{Z}_p$ than BF-IBE, and
the Key Extraction and Decryption algorithms in the two IBE schemes are the same. In the
following, we discuss what significance our different Encryption algorithm could bring in
practice.

In BF-IBE [2], the session secret, i.e. the term $g_{ID}$, is computed as $g_{ID} = e(P_{pub}, Q_{ID})$,
in which $P_{pub}$ is the public key of the intended receiver's PKG. We emphasize that in a
multiple PKG environment, before computing the second part of the ciphertext, i.e. $V$,
and especially the term $g_{ID}$ (which requires a relatively expensive pairing evaluation), which are
the main operations of the overall encryption, BF-IBE requires the sender to first get to
know the following two things:

— which organization the receiver is from, and 

— the public key associated with the corresponding PKG. 

Compared with BF-IBE, the biggest difference of our IBE is that in the Encryption algorithm,
the terms $V$ and especially $g_{ID} = e(P, Q_{ID})$ are computed independently of
any PKG's public key. Consequently, in our IBE, the sender can compute the pairing (and
$V$) before getting the public key of the receiver's PKG, in the case that (s)he knows which
organization the receiver is from. Interestingly, the sender can even pre-compute $g_{ID}$ and
$V$ before (s)he knows which organization the receiver is from!

Therefore, our scheme enables a type of efficient "on the move" IBE in a multiple PKG
environment, which requires very little online work for the sender (i.e. the encryptor).

We emphasize that this feature is particularly useful in (ID-based) broadcasting (or
multiple-recipient) encryption scenarios: with most of the expensive computation
pre-computed, the overall performance improves to a large extent.
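
The offline/online split of Sections 3.1 and 3.2, as an added Python example (not code from the paper). It assumes a toy, insecure pairing model in which a point $aP$ is stored as the scalar $a$ modulo the constructed prime 1019 and $e(aP, bP) = 4^{ab} \bmod 2039$; all function names and parameters are hypothetical.

```python
import hashlib, secrets

# Toy parameters (constructed): 1019 and 2*1019 + 1 = 2039 are prime; 4 has order 1019 mod 2039.
P_ORDER, Q_MOD, G2_GEN = 1019, 2039, 4
P = 1  # generator of G1; a point aP is stored as the scalar a, so the DLP is trivial (insecure)

def pairing(a, b):                                   # e(aP, bP) = e(P, P)^(ab)
    return pow(G2_GEN, (a * b) % P_ORDER, Q_MOD)

def h1(identity):                                    # H1: {0,1}* -> G1* (nonzero scalar)
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (P_ORDER - 1) + 1

def h2(z, n):                                        # H2: G2 -> n bytes, n <= 32
    return hashlib.sha256(str(z).encode()).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    s = secrets.randbelow(P_ORDER - 1) + 1           # master key, nonzero so s^-1 exists
    return s, pow(s, -1, P_ORDER) * P % P_ORDER      # (s, P_pub = s^-1 P)

def extract(s, identity):
    return s * h1(identity) % P_ORDER                # d_ID = s Q_ID

def encrypt_offline(identity, m):
    """Everything that needs no PKG public key: r, the pairing g_ID, and V."""
    r = secrets.randbelow(P_ORDER - 1) + 1
    g_id = pairing(P, h1(identity))                  # g_ID = e(P, Q_ID)
    return r, xor(m, h2(pow(g_id, r, Q_MOD), len(m)))

def encrypt_online(r, p_pub):
    return r * p_pub % P_ORDER                       # U = r P_pub: one scalar multiplication

def decrypt(d_id, u, v):
    return xor(v, h2(pairing(u, d_id), len(v)))      # m = V xor H2(e(U, d_ID))

def demo():
    """V is computed once; U is bound later to whichever PKG serves the recipient."""
    msg = b"quarterly price list"
    r, v = encrypt_offline("bob@example.com", msg)
    results = []
    for _ in range(3):                               # three independent PKGs (domains)
        s, p_pub = setup()
        d_id = extract(s, "bob@example.com")
        results.append(decrypt(d_id, encrypt_online(r, p_pub), v))
    return msg, results
```

Only `encrypt_online` touches a PKG public key, which is the property the comparison with BF-IBE rests on.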

4 Escrowed ElGamal Encryption 

Parallel to [2], in this section we introduce a new ElGamal encryption system in which a 
single escrow key enables the decryption of ciphertexts encrypted under any public key. 

Description of the Scheme: 

Our ElGamal escrow encryption works as follows: 

Setup. Given a security parameter $k$, the escrow authority (EA) does the following:

1. Chooses a random $s \in \mathbb{Z}_p$, calculates two points $Q_1 = sP$ and $Q_2 = s^{-1}P \in G_1$.²

2. Chooses a cryptographic hash function $H : G_2 \to \{0,1\}^n$ for some $n$.

The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1 \times \{0,1\}^n$. The
public params are $\langle q, G_1, G_2, e, n, P, Q_1, Q_2, H \rangle$ and the escrow key is $s$.

Key Generation. Same as in [2], a user generates a public/private key pair for herself
by picking a random $x \in \mathbb{Z}_q$ and computing $P_{pub} = xP \in G_1$. Her private key is $x$,
her public key is $P_{pub}$.

Encryption. To encrypt a message $m \in \mathcal{M}$, the sender picks a random $r \in \mathbb{Z}_p$ and sets the
ciphertext to be

$C = \langle rQ_2,\ m \oplus H_2(g^r) \rangle$, where $g = e(P, P_{pub}) \in G_2^*$.

Decryption. To decrypt a ciphertext $C = (U, V) \in \mathcal{C}$, the recipient uses the private key $x$
to compute

$m = V \oplus H_2(e(U, xQ_1))$.

Escrow Decryption. To decrypt a ciphertext $C = (U, V)$, the EA uses the escrow key $s$
to compute

$m = V \oplus H_2(e(U, P_{pub})^s)$.

Consistency: The two recipients can correctly decrypt $C$ to get $m$ since

$e(U, xQ_1) = e(rQ_2, xQ_1) = e(rs^{-1}P, xsP) = e(rP, xP) = e(P, P_{pub})^r = g^r$

and

$e(U, P_{pub})^s = e(rs^{-1}P, P_{pub})^s = e(rP, P_{pub}) = e(P, P_{pub})^r$.



² Note that in BF-IBE, the public key of the EA is one point $Q = sP \in G_1$ instead.

Compared with the scheme in [2], our escrow ElGamal requires the EA to publish one
more point as its public key. An advantage of our scheme is that the sender can choose a
designated EA (from multiple EAs) after (s)he has finished most of the operations of encrypting
a message. This provides the sender with more flexibility in practice.

A Simple and Direct Application: 

If we regard the escrow authority (EA) in the above escrowed ElGamal scheme as an
ordinary principal (who has his/her own private and public key pair), the scheme can then be used
as a dual decryptor PKE scheme, i.e., a single ciphertext can be decrypted independently
by two different principals. However, unlike in the conventional setting, we require at least one
of the recipients to publish two points (e.g. $Y_1$, $Y_2$) as his/her public key, in the form of
$Y_1 = aP$ and $Y_2 = a^{-1}P$ (assuming $a$ is the private key of the recipient).

A good property of this scheme is that the sender can encrypt the message before (s)he
picks the second recipient. In other words, after the encryption has been done, the
sender can change his/her mind on who the second recipient will be.

More interestingly, the sender can efficiently add more such "second recipients": each
time (s)he adds one, only one scalar multiplication is needed, without any expensive pairing
computation. However, we note that the size of the ciphertext will grow linearly.
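
The multi-recipient extension just described, written out as an added derivation (not part of the original paper). Assumptions: the first recipient holds $x$ with $P_{pub} = xP$; the $i$-th additional recipient holds private key $a_i$ and publishes $Y_{1,i} = a_iP$ and $Y_{2,i} = a_i^{-1}P$; the names $a_i$, $Y_{1,i}$, $Y_{2,i}$ and $U_i$ are introduced here.

The sender computes the pairing and the masked message once, then one scalar multiplication per additional recipient:

$$g = e(P, P_{pub}), \qquad V = m \oplus H_2(g^r), \qquad U_i = rY_{2,i} \quad (i = 1, \dots, k), \qquad C = (U_1, \dots, U_k, V).$$

Additional recipient $i$ recovers the session secret from its own component:

$$e(U_i, P_{pub})^{a_i} = e(ra_i^{-1}P, P_{pub})^{a_i} = e(rP, P_{pub}) = e(P, P_{pub})^r = g^r.$$

The first recipient can use any single component $U_i$:

$$e(U_i, xY_{1,i}) = e(ra_i^{-1}P, xa_iP) = e(rP, xP) = e(P, P_{pub})^r = g^r.$$

In both cases $m = V \oplus H_2(g^r)$, and the ciphertext carries $k$ elements of $G_1$ plus $V$, which is the linear growth noted above.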

5 Conclusion and Ongoing Work 

The rapid world-wide development of electronic transactions, largely associated with the 
growth of the Internet, stimulates a strong demand for fast, secure and cheap public 
key schemes. In this paper, we gave a practical IBE scheme suitable for multiple PKG 
environments. Additionally, we proposed a related escrow ElGamal encryption scheme. 

Ongoing work includes studying the formal security of the two proposed encryption
schemes, namely proving their security in the random oracle model [3] (provided
that the Bilinear Diffie-Hellman (BDH) problem is hard), and exploring their merits in
constructing Certificate-Based Encryption (CBE) [5] and Certificateless Public Key
Encryption (CL-PKE) schemes [1].